Gossamer Forum: General: Internet Technologies: Lock SSH

Aug 7, 2002, 4:16 AM

Andy

Veteran / Moderator (18441 posts)

Aug 7, 2002, 4:16 AM

Post #1 of 9

Shortcut

Lock SSH

Hi...does anyone know of any good sites that walk you through how to limit the access of a SSH user? At the moment, a user can go back on my server to the /usr/ folder, and then get into other people folders, etc. I would like to limit them to their folders...

I've had a look around...but didn't have much luck. Maybe someone who has done it before, or seen a page around, could help me Unsure

Cheers

Andy (mod)
andy@ultranerds.co.uk

Aug 7, 2002, 4:24 AM

Wil

Veteran / Moderator (4108 posts)

Aug 7, 2002, 4:24 AM

Post #2 of 9

Shortcut

Re: [Andy] Lock SSH In reply to

That's to do with permissions on your server, Andy. You need to set up permissions correctly for the directories in your /usr directory. On most servers people are able to view a directory listing of /usr or /home but not actually be able to go into those directories. Those directories should be owned by whatever user they're assigned to and other users shouldn't be able to view or access other user's home directories. You're probably just creating home directories with incorrect ownership and permissions.

- wil

Aug 7, 2002, 4:27 AM

Andy

Veteran / Moderator (18441 posts)

Aug 7, 2002, 4:27 AM

Post #3 of 9

Shortcut

Re: [Wil] Lock SSH In reply to

I didn't create anything...Plesk does it all. Are you saying I need to CHOWN the directory below the /home to another user, say 'root' so that they can't get below that?

Andy (mod)
andy@ultranerds.co.uk

Aug 7, 2002, 4:35 AM

Andy

Veteran / Moderator (18441 posts)

Aug 7, 2002, 4:35 AM

Post #4 of 9

Shortcut

Re: [Andy] Lock SSH In reply to

Mmm...the folder heirarchy looks like;

/usr/local/psa/home/vhosts/ace-host.com

/vhosts seems to be owned by 'root'...;

drwxr-xr-x 14 root root 4096 Aug 6 09:34 vhosts

And /ace-host.com is owned by root too;

dr-xr-xr-x 13 root apache 4096 Jul 13 18:11 ace-host.com

The httpdocs within ace-host.com is owned by 'ace-host'

drwxr-xr-x 10 ace-host psacln 4096 Aug 7 06:39 httpdocs

Even though they are owned by different users, they still are accessabe when logging in under another SSH account. Is this right?

Cheers

Andy (mod)
andy@ultranerds.co.uk

Aug 7, 2002, 9:08 AM

Aki

Staff / Moderator (429 posts)

Aug 7, 2002, 9:08 AM

Post #5 of 9

Shortcut

Re: [Andy] Lock SSH In reply to

Maybe see if you can "chroot" the login shell.

Aug 7, 2002, 9:19 AM

Paul

Veteran (19537 posts)

Aug 7, 2002, 9:19 AM

Post #6 of 9

Shortcut

Re: [Aki] Lock SSH In reply to

http://chrootssh.sourceforge.net/

Aug 7, 2002, 5:53 PM

Alex

Administrator (9387 posts)

Aug 7, 2002, 5:53 PM

Post #7 of 9

Shortcut

Re: [Andy] Lock SSH In reply to

Try setting the /usr/local/psa/home/vhosts directory to 711 instead of 755. This could break things on your server though, but will disable users from viewing a directory listing.

Cheers,

Alex
--
Gossamer Threads Inc.

Aug 8, 2002, 1:38 AM

Andy

Veteran / Moderator (18441 posts)

Aug 8, 2002, 1:38 AM

Post #8 of 9

Shortcut

Re: [Alex] Lock SSH In reply to

Thanks Alex...I'll give it a go.

Cheers

Andy (mod)
andy@ultranerds.co.uk

Aug 8, 2002, 2:12 AM

Andy

Veteran / Moderator (18441 posts)

Aug 8, 2002, 2:12 AM

Post #9 of 9

Shortcut

Re: [Andy] Lock SSH In reply to

Nope...didn't work :(

Andy (mod)
andy@ultranerds.co.uk